Battle damage increases from widespread cyberattacks

Management consulting firm Deloitte said that in 2010, "security and privacy had graduated from just an IT department concern." The company is right.

Cybersecurity is now addressed at the CEO and board of directors level and for good reason. The frequency and complexity of cyberattacks, added to high-profile successes of the attacks, have executives concerned about the business impact resulting from these assaults. Customer losses, an attack's cost, and stock price declines that often accompany the news of successful cyberattacks all combine to create a headache for C-level executives.

Deloitte points out that “the vast majority of businesses in 2011 have only limited capabilities to detect and react to point-in-time breaches.” You don’t have to look very far to find an example of what they are talking about. The businesses that have had their systems breached or compromised often experience high costs that impact their stock price. The organization’s incident investigation and added cybersecurity efforts impact the brand’s image. These costs hit the balance sheets and affect profitability and stock price.

For example, look at Sony’s breach that took place in April. Sony's public disclosure of the attack and intrusion might cost the company $173 million or more. Many believe that it will exceed that number. There is another key indicator that few have recognized or even publicized. When the company announced that Sony Online Entertainment had been hacked, share prices dropped and continued to drop as more information and additional breaches were reported. Sony’s stock dropped about 30 percent after a number of successful cyberattacks were publicly disclosed. At the beginning of March, Sony’s stock price was $36.27, and by June 17, it had dropped to $24.92. One blogger, covering the news event, put the decline in market capitalization in excess of $2 billion. Many believe that Sony has begun to recover from these hostile actions.

Cyberattacks and breaches continue to come to light. The International Monetary Fund, which is charged with the financial stability of the global economy, disclosed in June that it was the target of a major cyberattack. Financial giant Citigroup also recently fell victim to a cyberattack, as did payroll giant Automatic Data Processing through a breach involving a client of recently acquired benefits administration provider Workscape. These organizations are not alone.

Is this the new norm and just another cost of doing business? Is this the new measure of battle damage for digital conflict? It certainly looks that way. Deloitte rightfully points out that the regulatory environment that addresses protecting sensitive data has become more rigorous, diverse and complex. With an estimated 60 pieces of legislation moving through the process, the rigors and complexity are only going to increase. Deloitte accurately points out that “the vast majority of businesses in 2011 have only limited capabilities to detect and react to point-in-time breaches."

Why is that? I don’t believe anyone would dispute the significance of this threat. In addition, it is difficult to argue with the financial implications that result from successful cyberattacks. The Commerce Department just released its "Cyber Security, Innovation and the Internet Economy" green paper. Commerce Secretary Gary Locke said, “Our economy depends on the ability of companies to provide trusted, secure services online.” When you consider that cyber transactions have grown every year and account for $10 trillion in global trade, he is absolutely correct.

I was once told the definition of insanity is doing the same thing over and over again and expecting different results. This certainly seems to apply to our current cybersecurity efforts. We need to create a new approach to cybersecurity that supports continual change and adapts to the evolution of cyber threats. After all, it is a matter of economic and national security.